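/// <summary>
/// Collects registry keys from every hive in <c>Hives</c>, in both the 32-bit and 64-bit
/// registry views, and writes each resulting object to the database under <c>RunId</c>.
/// A hive that matches an Exclude filter (and no Include filter) is skipped.
/// </summary>
/// <remarks>
/// Two defects corrected here: an excluded hive used to <c>return</c> from the whole method,
/// silently dropping every hive listed after it; and the parallel 64-bit pass re-enumerated the
/// 32-bit walk, so the Registry64 view was never actually collected when <c>Parallelize</c> was set.
/// </remarks>
public override void ExecuteInternal()
{
    foreach (var hive in Hives)
    {
        var hiveName = hive.ToString();
        Log.Debug("Starting " + hiveName);

        var platform = AsaHelpers.GetPlatformString();
        var explicitlyIncluded = Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Include", hiveName);
        if (!explicitlyIncluded
            && Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Exclude", hiveName, out Regex? capturer))
        {
            Log.Debug("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hiveName, Strings.Get("DueToFilter"), capturer?.ToString());
            // Skip only this hive; the remaining hives must still be scanned.
            continue;
        }

        // Converts one key and persists it. RegistryKeyToRegistryObject may return null for keys
        // it cannot represent; InvalidOperationException is the failure mode seen in practice.
        void IterateOn(RegistryKey registryKey, RegistryView registryView)
        {
            try
            {
                var regObj = RegistryWalker.RegistryKeyToRegistryObject(registryKey, registryView);
                if (regObj != null)
                {
                    DatabaseManager.Write(regObj, RunId);
                }
            }
            catch (InvalidOperationException e)
            {
                Log.Debug(e, JsonSerializer.Serialize(registryKey) + " invalid op exept");
            }
        }

        // NOTE(review): the return value of this key-level Exclude lookup was discarded in the original
        // and still is; it excludes nothing here. Presumably key-level filtering happens inside
        // RegistryWalker.WalkHive — confirm, otherwise this call can be dropped.
        Filter.IsFiltered(platform, "Scan", "Registry", "Key", "Exclude", hiveName);

        var x86Keys = RegistryWalker.WalkHive(hive, RegistryView.Registry32);
        var x64Keys = RegistryWalker.WalkHive(hive, RegistryView.Registry64);

        if (Parallelize)
        {
            Parallel.ForEach(x86Keys, registryKey => IterateOn(registryKey, RegistryView.Registry32));
            // Was x86Keys in the original, which scanned the 32-bit view twice and the 64-bit view never.
            Parallel.ForEach(x64Keys, registryKey => IterateOn(registryKey, RegistryView.Registry64));
        }
        else
        {
            foreach (var registryKey in x86Keys)
            {
                IterateOn(registryKey, RegistryView.Registry32);
            }
            foreach (var registryKey in x64Keys)
            {
                IterateOn(registryKey, RegistryView.Registry64);
            }
        }

        Log.Debug("Finished " + hiveName);
    }
}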
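/// <summary>
/// Walks every hive in <c>Hives</c> and writes each key to the database under <c>RunId</c>.
/// A hive that matches an Exclude filter (and no Include filter) is skipped.
/// </summary>
/// <remarks>
/// Fix: an excluded hive used to <c>return</c> from the method, which silently skipped every
/// hive listed after it; it now moves on to the next hive.
/// </remarks>
public override void ExecuteInternal()
{
    foreach (var hive in Hives)
    {
        var hiveName = hive.ToString();
        Log.Debug("Starting " + hiveName);

        var platform = AsaHelpers.GetPlatformString();
        var explicitlyIncluded = Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Include", hiveName);
        if (!explicitlyIncluded
            && Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Exclude", hiveName, out Regex capturer))
        {
            Log.Debug("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hiveName, Strings.Get("DueToFilter"), capturer.ToString());
            // Skip only this hive; the remaining hives must still be scanned.
            continue;
        }

        // NOTE(review): the result of this key-level Exclude lookup is discarded, as in the original;
        // it excludes nothing here. Confirm whether WalkHive applies key-level filters itself.
        Filter.IsFiltered(platform, "Scan", "Registry", "Key", "Exclude", hiveName);

        Parallel.ForEach(RegistryWalker.WalkHive(hive), registryKey =>
        {
            try
            {
                var regObj = RegistryKeyToRegistryObject(registryKey);
                if (regObj != null)
                {
                    DatabaseManager.Write(regObj, RunId);
                }
            }
            catch (InvalidOperationException e)
            {
                // Some keys cannot be converted; log and keep walking the rest of the hive.
                Log.Debug(e, JsonConvert.SerializeObject(registryKey) + " invalid op exept");
            }
        });

        Log.Debug("Finished " + hiveName);
    }
}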
/// <summary>
/// Entry point for the registry collector: starts timing, logs the default hive set, clears any
/// previous rows for this run, walks all hives in parallel writing every key, then commits and stops.
/// A hive matched by an Include filter is always scanned; otherwise a matching Exclude filter skips it.
/// </summary>
public override void Execute()
{
    Start();
    Log.Information(JsonConvert.SerializeObject(DefaultHives));

    if (!this.CanRunOnPlatform())
    {
        return;
    }

    Truncate(this.runId);

    Parallel.ForEach(Hives, hive =>
    {
        var hiveName = hive.ToString();
        Log.Debug("Starting " + hiveName);

        var runtime = Helpers.RuntimeString();
        var explicitlyIncluded = Filter.IsFiltered(runtime, "Scan", "Registry", "Hive", "Include", hiveName);
        if (!explicitlyIncluded)
        {
            if (Filter.IsFiltered(runtime, "Scan", "Registry", "Hive", "Exclude", hiveName, out Regex capturer))
            {
                Log.Information("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hiveName, Strings.Get("DueToFilter"), capturer.ToString());
                // Returning here abandons only this hive's work item; other hives continue.
                return;
            }
        }

        var keys = RegistryWalker.WalkHive(hive);
        try
        {
            Parallel.ForEach(keys, registryObject =>
            {
                try
                {
                    Write(registryObject);
                }
                catch (InvalidOperationException e)
                {
                    // Some registry keys don't get along with the writer; skip them.
                    Log.Debug(registryObject.Key + " " + e.GetType());
                }
            });
        }
        catch (Exception e)
        {
            // Anything escaping the per-key handler is recorded and reported but does not abort the run.
            Log.Debug(e.GetType().ToString());
            Log.Debug(e.Message);
            Log.Debug(e.StackTrace);
            Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
        }
    });

    DatabaseManager.Commit();
    Stop();
}
/// <summary>
/// Walks each hive in <c>Hives</c> in both the 32-bit and 64-bit registry views, converts every
/// key to a registry object and appends it to <c>Results</c>. No filtering is applied at this layer.
/// </summary>
/// <remarks>
/// NOTE(review): when <c>Parallelize</c> is set, <c>Results.Add</c> is invoked concurrently from
/// <c>ForAll</c>; that is only safe if <c>Results</c> is a concurrent collection — confirm its type.
/// </remarks>
public override void ExecuteInternal()
{
    foreach (var hive in Hives)
    {
        var hiveName = hive.ToString();
        Log.Debug("Starting " + hiveName);

        // Converts one key and records the result; conversion failures are logged and skipped.
        void Collect(RegistryKey key, RegistryView view)
        {
            Log.Verbose($"Beginning to parse {key.Name} in view {view}");
            try
            {
                var regObj = RegistryWalker.RegistryKeyToRegistryObject(key, view);
                if (regObj != null)
                {
                    Results.Add(regObj);
                }
            }
            catch (InvalidOperationException e)
            {
                Log.Debug(e, JsonConvert.SerializeObject(key) + " invalid op exept");
            }
            Log.Verbose($"Finished parsing {key.Name} in view {view}");
        }

        var keys32 = RegistryWalker.WalkHive(hive, RegistryView.Registry32);
        var keys64 = RegistryWalker.WalkHive(hive, RegistryView.Registry64);

        if (!Parallelize)
        {
            foreach (var key in keys32)
            {
                Collect(key, RegistryView.Registry32);
            }
            foreach (var key in keys64)
            {
                Collect(key, RegistryView.Registry64);
            }
        }
        else
        {
            keys32.AsParallel().ForAll(key => Collect(key, RegistryView.Registry32));
            keys64.AsParallel().ForAll(key => Collect(key, RegistryView.Registry64));
        }

        Log.Debug("Finished " + hiveName);
    }
}
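/// <summary>
/// Walks each hive in <c>Hives</c> in both the 32-bit and 64-bit registry views and writes every
/// key that converts successfully to the database under <c>RunId</c>.
/// </summary>
/// <remarks>
/// Fix: the parallel 64-bit pass used to enumerate the 32-bit walk, so with <c>Parallelize</c>
/// set the Registry64 view was never collected and the Registry32 keys were written twice
/// (mislabelled as 64-bit on the second pass).
/// </remarks>
public override void ExecuteInternal()
{
    foreach (var hive in Hives)
    {
        var hiveName = hive.ToString();
        Log.Debug("Starting " + hiveName);

        // Converts one key and persists it; conversion failures are logged and skipped.
        void IterateOn(RegistryKey registryKey, RegistryView registryView)
        {
            try
            {
                var regObj = RegistryWalker.RegistryKeyToRegistryObject(registryKey, registryView);
                if (regObj != null)
                {
                    DatabaseManager.Write(regObj, RunId);
                }
            }
            catch (InvalidOperationException e)
            {
                Log.Debug(e, JsonConvert.SerializeObject(registryKey) + " invalid op exept");
            }
        }

        var x86Keys = RegistryWalker.WalkHive(hive, RegistryView.Registry32);
        var x64Keys = RegistryWalker.WalkHive(hive, RegistryView.Registry64);

        if (Parallelize)
        {
            Parallel.ForEach(x86Keys, registryKey => IterateOn(registryKey, RegistryView.Registry32));
            // Was x86Keys in the original; the 64-bit view must walk its own enumerable.
            Parallel.ForEach(x64Keys, registryKey => IterateOn(registryKey, RegistryView.Registry64));
        }
        else
        {
            foreach (var registryKey in x86Keys)
            {
                IterateOn(registryKey, RegistryView.Registry32);
            }
            foreach (var registryKey in x64Keys)
            {
                IterateOn(registryKey, RegistryView.Registry64);
            }
        }

        Log.Debug("Finished " + hiveName);
    }
}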
/// <summary>
/// Entry point for the registry collector: checks platform support, starts timing, touches the
/// database transaction, walks all hives in parallel writing every key under <c>runId</c>,
/// then commits and stops. A hive matched by an Include filter is always scanned; otherwise a
/// matching Exclude filter skips it.
/// </summary>
public override void Execute()
{
    if (!this.CanRunOnPlatform())
    {
        return;
    }

    Start();
    // Forces the transaction to be created before any parallel writes begin.
    _ = DatabaseManager.Transaction;

    Parallel.ForEach(Hives, hive =>
    {
        var hiveName = hive.ToString();
        Log.Debug("Starting " + hiveName);

        var platform = Helpers.GetPlatformString();
        var explicitlyIncluded = Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Include", hiveName);
        if (!explicitlyIncluded)
        {
            if (Filter.IsFiltered(platform, "Scan", "Registry", "Hive", "Exclude", hiveName, out Regex capturer))
            {
                Log.Information("{0} '{1}' {2} '{3}'.", Strings.Get("ExcludingHive"), hiveName, Strings.Get("DueToFilter"), capturer.ToString());
                // Abandons only this hive's work item; other hives continue.
                return;
            }
        }

        // NOTE(review): the result of this key-level Exclude lookup is discarded (as in the original);
        // it excludes nothing here. Presumably WalkHive applies key-level filters itself — confirm.
        Filter.IsFiltered(platform, "Scan", "Registry", "Key", "Exclude", hiveName);

        var registryObjects = RegistryWalker.WalkHive(hive, runId);
        try
        {
            Parallel.ForEach(registryObjects, registryObject =>
            {
                try
                {
                    DatabaseManager.Write(registryObject, runId);
                }
                catch (InvalidOperationException e)
                {
                    Logger.DebugException(e);
                    Log.Debug(JsonConvert.SerializeObject(registryObject) + " invalid op exept");
                }
            });
        }
        catch (Exception e)
        {
            // Anything escaping the per-key handler is recorded and reported but does not abort the run.
            Logger.DebugException(e);
            Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e);
        }
    });

    DatabaseManager.Commit();
    Stop();
}
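/// <summary>
/// Parses every immediate subkey of <paramref name="SearchKey"/> into a <c>ComObject</c>,
/// resolves the in-process server binaries named by the default value of the
/// <c>InprocServer32</c> / <c>InprocServer64</c> subkeys, and writes each COM object to the
/// database under <c>RunId</c>.
/// </summary>
/// <param name="SearchKey">Registry key whose subkeys are COM class registrations; null is a no-op.</param>
/// <param name="View">Registry view (32/64-bit) the key was opened in; recorded on every registry object.</param>
/// <remarks>
/// Fixes versus the previous version: the shared result list is now guarded by a lock (it was
/// appended to from <c>Parallel.ForEach</c> with no synchronization); a subkey that
/// <c>OpenSubKey</c> cannot open (returns null) is skipped instead of raising a
/// NullReferenceException that the exception filter did not catch; a default value that is a lone
/// quote character no longer throws from <c>Substring</c>; opened keys are disposed.
/// </remarks>
public void ParseComObjects(RegistryKey SearchKey, RegistryView View)
{
    if (SearchKey == null)
    {
        return;
    }

    var comObjects = new List<ComObject>();
    var comObjectsGate = new object();

    // Normalises the path stored in an Inproc server default value so the permission checker can
    // open it: trims whitespace, strips surrounding quotes, and qualifies a bare file name against
    // System32. The System32 guess mirrors the original heuristic; the real COM loader resolves a
    // bare name through the DLL search order, so the file inspected here may not be the one that
    // would actually load — a bare name is itself worth flagging as a possible hijack point.
    static string NormalizeServerPath(string rawPath)
    {
        var path = rawPath.Trim();
        if (path.Length >= 2
            && path.StartsWith("\"", StringComparison.Ordinal)
            && path.EndsWith("\"", StringComparison.Ordinal))
        {
            path = path.Substring(1, path.Length - 2).Trim();
        }
        // '%' marks an unexpanded environment variable; leave those alone rather than prefixing System32.
        if (!path.Contains("\\") && !path.Contains("%"))
        {
            path = Path.Combine(Environment.SystemDirectory, path);
        }
        return path;
    }

    // Parses one CLSID-style subkey; failures that come from the registry API are logged and skipped.
    void ParseOne(string subKeyName)
    {
        try
        {
            using var currentKey = SearchKey.OpenSubKey(subKeyName);
            if (currentKey == null)
            {
                // OpenSubKey returns null (without throwing) when the key vanished or is not readable.
                Log.Debug($"Couldn't parse {subKeyName}");
                return;
            }

            var regObj = RegistryWalker.RegistryKeyToRegistryObject(currentKey, View);
            if (regObj == null)
            {
                return;
            }

            var comObject = new ComObject(regObj);
            foreach (var detailName in currentKey.GetSubKeyNames())
            {
                using var detailKey = currentKey.OpenSubKey(detailName);
                if (detailKey == null)
                {
                    continue;
                }
                var detailObj = RegistryWalker.RegistryKeyToRegistryObject(detailKey, View);
                if (detailObj != null)
                {
                    comObject.AddSubKey(detailObj);
                }
            }

            // 32-bit in-process server: the default value ("") of the InprocServer32 subkey.
            var inproc32 = comObject.Subkeys.FirstOrDefault(x => x.Key.Contains("InprocServer32"));
            if (inproc32?.Values != null
                && inproc32.Values.TryGetValue("", out var binaryPath32)
                && binaryPath32 != null)
            {
                var path32 = NormalizeServerPath(binaryPath32);
                comObject.x86_Binary = FileSystemCollector.FilePathToFileSystemObject(path32, true);
                comObject.x86_BinaryName = path32;
            }

            // 64-bit in-process server: same shape under InprocServer64.
            var inproc64 = comObject.Subkeys.FirstOrDefault(x => x.Key.Contains("InprocServer64"));
            if (inproc64?.Values != null
                && inproc64.Values.TryGetValue("", out var binaryPath64)
                && binaryPath64 != null)
            {
                var path64 = NormalizeServerPath(binaryPath64);
                comObject.x64_Binary = FileSystemCollector.FilePathToFileSystemObject(path64, true);
                comObject.x64_BinaryName = path64;
            }

            // List<T> is not thread-safe; ParseOne runs concurrently below.
            lock (comObjectsGate)
            {
                comObjects.Add(comObject);
            }
        }
        catch (Exception e) when (e is System.Security.SecurityException
                                  || e is ObjectDisposedException
                                  || e is UnauthorizedAccessException
                                  || e is IOException)
        {
            Log.Debug($"Couldn't parse {subKeyName}");
        }
    }

    try
    {
        Parallel.ForEach(SearchKey.GetSubKeyNames(), ParseOne);
    }
    catch (Exception e) when (e is System.Security.SecurityException
                              || e is ObjectDisposedException
                              || e is UnauthorizedAccessException
                              || e is IOException)
    {
        Log.Debug($"Failing parsing com objects {SearchKey.Name} {e.GetType().ToString()} {e.Message}");
    }

    foreach (var comObject in comObjects)
    {
        DatabaseManager.Write(comObject, RunId);
    }
}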
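/// <summary>
/// Parses every immediate subkey of <paramref name="SearchKey"/> into a <c>ComObject</c>,
/// resolving the 32- and 64-bit in-process server binaries named by the default value of the
/// <c>InprocServer32</c> / <c>InprocServer64</c> subkeys, and returns the list of them.
/// </summary>
/// <param name="SearchKey">The registry key to search; null yields an empty list.</param>
/// <param name="View">The view of the registry to use; recorded on every registry object.</param>
/// <param name="SingleThreaded">When true, subkeys are parsed sequentially instead of with PLINQ.</param>
/// <returns>The parsed COM objects (as <c>CollectObject</c>s); never null.</returns>
/// <remarks>
/// Fixes versus the previous version: the shared result list is guarded by a lock (it was appended
/// to from <c>ForAll</c> with no synchronization); a subkey that <c>OpenSubKey</c> cannot open
/// (returns null) is skipped instead of raising a NullReferenceException that the exception filter
/// did not catch; a default value that is a lone quote character no longer throws from
/// <c>Slice</c>; opened keys are disposed.
/// </remarks>
public static IEnumerable<CollectObject> ParseComObjects(RegistryKey SearchKey, RegistryView View, bool SingleThreaded = false)
{
    if (SearchKey == null)
    {
        return new List<CollectObject>();
    }

    var comObjects = new List<ComObject>();
    var comObjectsGate = new object();
    var fsc = new FileSystemCollector(new CollectCommandOptions() { SingleThread = SingleThreaded });

    // Normalises the path stored in an Inproc server default value so the permission checker can
    // open it: trims whitespace, strips surrounding quotes, and qualifies a bare file name against
    // System32. The System32 guess mirrors the original heuristic; the real COM loader resolves a
    // bare name through the DLL search order, so the file inspected here may not be the one that
    // would actually load — a bare name is itself worth flagging as a possible hijack point.
    static string NormalizeServerPath(string rawPath)
    {
        var path = rawPath.Trim();
        if (path.Length >= 2
            && path.StartsWith("\"", StringComparison.Ordinal)
            && path.EndsWith("\"", StringComparison.Ordinal))
        {
            path = path.Substring(1, path.Length - 2).Trim();
        }
        // '%' marks an unexpanded environment variable; leave those alone rather than prefixing System32.
        if (!path.Contains("\\") && !path.Contains("%"))
        {
            path = Path.Combine(Environment.SystemDirectory, path);
        }
        return path;
    }

    // Reads the default value ("") of one Inproc server subkey and returns its normalised path,
    // or null when the subkey cannot be opened/converted or carries no default value.
    string? ServerPathFrom(RegistryKey parent, string detailName)
    {
        using var comKey = parent.OpenSubKey(detailName);
        if (comKey == null)
        {
            return null;
        }
        var obj = RegistryWalker.RegistryKeyToRegistryObject(comKey, View);
        if (obj?.Values != null && obj.Values.TryGetValue("", out var rawPath) && rawPath != null)
        {
            return NormalizeServerPath(rawPath);
        }
        return null;
    }

    // Parses one CLSID-style subkey; failures that come from the registry API are logged and skipped.
    void ParseComObjectsIn(string subKeyName)
    {
        try
        {
            using var currentKey = SearchKey.OpenSubKey(subKeyName);
            if (currentKey == null)
            {
                // OpenSubKey returns null (without throwing) when the key vanished or is not readable.
                Log.Debug($"Couldn't parse {subKeyName}");
                return;
            }

            var regObj = RegistryWalker.RegistryKeyToRegistryObject(currentKey, View);
            if (regObj == null)
            {
                return;
            }

            var comObject = new ComObject(regObj);
            foreach (var detailName in currentKey.GetSubKeyNames())
            {
                if (detailName.Contains("InprocServer32"))
                {
                    var path32 = ServerPathFrom(currentKey, detailName);
                    if (path32 != null)
                    {
                        comObject.x86_Binary = fsc.FilePathToFileSystemObject(path32);
                    }
                }
                if (detailName.Contains("InprocServer64"))
                {
                    var path64 = ServerPathFrom(currentKey, detailName);
                    if (path64 != null)
                    {
                        comObject.x64_Binary = fsc.FilePathToFileSystemObject(path64);
                    }
                }
            }

            // List<T> is not thread-safe; this runs concurrently unless SingleThreaded is set.
            lock (comObjectsGate)
            {
                comObjects.Add(comObject);
            }
        }
        catch (Exception e) when (e is System.Security.SecurityException
                                  || e is ObjectDisposedException
                                  || e is UnauthorizedAccessException
                                  || e is IOException)
        {
            Log.Debug($"Couldn't parse {subKeyName}");
        }
    }

    try
    {
        var subKeyNames = SearchKey.GetSubKeyNames();
        if (SingleThreaded)
        {
            foreach (var subKey in subKeyNames)
            {
                ParseComObjectsIn(subKey);
            }
        }
        else
        {
            subKeyNames.AsParallel().ForAll(subKey => ParseComObjectsIn(subKey));
        }
    }
    catch (Exception e)
    {
        Log.Debug("Failing parsing com objects {0} {1}", SearchKey.Name, e.GetType());
    }

    return comObjects;
}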
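/// <summary>
/// Parses every immediate subkey of <paramref name="SearchKey"/> into a <c>ComObject</c>
/// (key plus all of its subkeys), resolves the 32- and 64-bit in-process server binaries named by
/// the default value of the <c>InprocServer32</c> / <c>InprocServer64</c> subkeys, and writes
/// each COM object to the database under <c>runId</c>.
/// </summary>
/// <param name="SearchKey">Registry key whose subkeys are COM class registrations; null is a no-op.</param>
/// <remarks>
/// Fixes versus the previous version: a subkey that <c>OpenSubKey</c> cannot open, or that
/// <c>RegistryKeyToRegistryObject</c> returns null for, is skipped rather than producing a null
/// entry in <c>Subkeys</c> (which made the later <c>x.Key.Contains</c> lookups throw and drop the
/// whole COM object); the default value is read with a single <c>TryGetValue</c> and null-checked;
/// a lone quote character no longer throws from <c>Substring</c>; opened keys are disposed.
/// </remarks>
public void ParseComObjects(RegistryKey SearchKey)
{
    if (SearchKey == null)
    {
        return;
    }

    // Normalises the path stored in an Inproc server default value so the permission checker can
    // open it: trims whitespace, strips surrounding quotes, and qualifies a bare file name against
    // System32. The System32 guess mirrors the original heuristic; the real COM loader resolves a
    // bare name through the DLL search order, so the file inspected here may not be the one that
    // would actually load — a bare name is itself worth flagging as a possible hijack point.
    static string NormalizeServerPath(string rawPath)
    {
        var path = rawPath.Trim();
        if (path.Length >= 2
            && path.StartsWith("\"", StringComparison.Ordinal)
            && path.EndsWith("\"", StringComparison.Ordinal))
        {
            path = path.Substring(1, path.Length - 2).Trim();
        }
        // '%' marks an unexpanded environment variable; leave those alone rather than prefixing System32.
        if (!path.Contains("\\") && !path.Contains("%"))
        {
            path = Path.Combine(Environment.SystemDirectory, path);
        }
        return path;
    }

    // Returns the normalised default-value path of the first subkey whose name contains
    // serverKeyFragment, or null when there is no such subkey or it has no usable default value.
    static string? ServerPathFrom(List<RegistryObject> subkeys, string serverKeyFragment)
    {
        var server = subkeys.FirstOrDefault(x => x.Key.Contains(serverKeyFragment));
        if (server?.Values != null && server.Values.TryGetValue("", out var rawPath) && rawPath != null)
        {
            return NormalizeServerPath(rawPath);
        }
        return null;
    }

    foreach (string subKeyName in SearchKey.GetSubKeyNames())
    {
        try
        {
            using var currentKey = SearchKey.OpenSubKey(subKeyName);
            if (currentKey == null)
            {
                // OpenSubKey returns null (without throwing) when the key vanished or is not readable.
                Log.Debug("Couldn't parse {0}", subKeyName);
                continue;
            }

            var regObj = RegistryWalker.RegistryKeyToRegistryObject(currentKey);
            if (regObj == null)
            {
                continue;
            }

            var comObject = new ComObject()
            {
                Key = regObj,
                Subkeys = new List<RegistryObject>()
            };

            foreach (string detailName in currentKey.GetSubKeyNames())
            {
                using var detailKey = currentKey.OpenSubKey(detailName);
                if (detailKey == null)
                {
                    continue;
                }
                var detailObj = RegistryWalker.RegistryKeyToRegistryObject(detailKey);
                if (detailObj != null)
                {
                    comObject.Subkeys.Add(detailObj);
                }
            }

            // 32-bit in-process server from the InprocServer32 subkey's default value.
            var path32 = ServerPathFrom(comObject.Subkeys, "InprocServer32");
            if (path32 != null)
            {
                comObject.x86_Binary = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(path32), true);
                comObject.x86_BinaryName = path32;
            }

            // 64-bit in-process server from the InprocServer64 subkey's default value.
            var path64 = ServerPathFrom(comObject.Subkeys, "InprocServer64");
            if (path64 != null)
            {
                comObject.x64_Binary = FileSystemCollector.FileSystemInfoToFileSystemObject(new FileInfo(path64), true);
                comObject.x64_BinaryName = path64;
            }

            DatabaseManager.Write(comObject, runId);
        }
        catch (Exception e)
        {
            // Best-effort per subkey: registry/IO failures (and an invalid FileInfo path) skip this entry only.
            Log.Debug(e, "Couldn't parse {0}", subKeyName);
        }
    }
}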